VAR-202004-0373
Vulnerability from variot - Updated: 2023-12-18 13:01TP-Link NC200 through 2.1.8_Build_171109, NC210 through 1.0.9_Build_171214, NC220 through 1.3.0_Build_180105, NC230 through 1.3.0_Build_171205, NC250 through 1.3.0_Build_171205, NC260 through 1.5.1_Build_190805, and NC450 through 1.5.0_Build_181022 devices allow a remote NULL Pointer Dereference. plural TP-Link On the device NULL A vulnerability exists regarding pointer dereference.Service operation interruption (DoS) It may be put into a state. Vulnerability title: TP-LINK Cloud Cameras NCXXX Remote NULL Pointer Dereference Author: Pietro Oliva CVE: CVE-2020-10231 Vendor: TP-LINK Product: NC200, NC210, NC220, NC230, NC250, NC260, NC450 Affected version: NC200 <= 2.1.8 build 171109, NC210 <= 1.0.9 build 171214, NC220 <= 1.3.0 build 180105, NC230 <= 1.3.0 build 171205, NC250 <= 1.3.0 build 171205, NC260 <= 1.5.1 build 190805, NC450 <= 1.5.0 build 181022
Description: The issue is located in the httpLoginRpm method of the ipcamera binary (handler method for /login.fcgi), where after successful login, there is no check for NULL in the return value of httpGetEnv(environment, "HTTP_USER_AGENT"). Shortly after that, there is a call to strstr(user_agent_string, "Firefox") and if a User-Agent header is not specified by the client, httpGetEnv will return NULL, and a NULL pointer dereference occurs when calling strstr, with consequent crash of the ipcamera process.
Impact: After the crash, the web interface on port 80 will not be available anymore.
Exploitation: An attacker could exploit this issue by just sending a login request with valid credentials (such as admin or limited user), but without an user-agent HTTP header. Default credentials can be used to bypass the credentials requirement.
Evidence: The disassembly of affected code from an NC200 camera is shown below:
0x0047dca0 lw a0, (user_arg) 0x0047dca4 lw a1, (password_arg) 0x0047dca8 lw t9, -sym.swUMMatchPassword(gp) 0x0047dcac nop 0x0047dcb0 jalr t9 0x0047dcb4 nop 0x0047dcb8 lw gp, (saved_gp) 0x0047dcbc sw v0, (auth_result) 0x0047dcc0 lw v0, (auth_result) 0x0047dcc4 nop 0x0047dcc8 bnez v0, 0x47de34 0x0047dccc nop 0x0047dcd0 sw zero, (arg_54h) 0x0047dcd4 lw a0, (environment) 0x0047dcd8 lw a1, -0x7fe4(gp) 0x0047dcdc nop 0x0047dce0 addiu a1, a1, -0x7cb0 ; "HTTP_USER_AGENT" 0x0047dce4 lw t9, -sym.httpGetEnv(gp) 0x0047dce8 nop 0x0047dcec jalr t9 0x0047dcf0 nop 0x0047dcf4 lw gp, (saved_gp) 0x0047dcf8 sw v0, (user_agent_ptr) 0x0047dcfc lw a0, (user_agent_ptr) ; <== This pointer could be NULL 0x0047dd00 lw a1, -0x7fe4(gp) 0x0047dd04 nop 0x0047dd08 addiu a1, a1, -0x7ca0 ; "Firefox" 0x0047dd0c lw t9, -sym.imp.strstr(gp) 0x0047dd10 nop 0x0047dd14 jalr t9
Disclosure timeline:
2nd December 2019 - Initial vulnerability report for NC200.
4th December 2019 - Vendor confirms vulnerablity but does not start fixing due to the product being end-of-life.
4th December 2019 - Notified vendor the vulnerability details will be public and it should be fixed.
6th December 2019 - Thanks for your opinion, we will discuss and write back to you.
7th February 2020 - Notified vendor issue exists on NC450 and possibly all models in between. Fixed a disclosure deadline in 30 days.
8th February 2020 - Vendor: We will check but please be patient.
18th February 2020 - We failed to reproduce the issue with the provided PoC.
24th February 2020 - Reverse engineered all the firmware images on behalf of the vendor and notified they were all vulnerable.
2nd March 2020 - Vendor asks to check fixes for NC200.
2nd March 2020 - Confirmed fix. Asked the vendor to do the same on all cameras.
3rd March 2020 - Vendor will check on other cameras, but will take some time.
3rd March 2020 - Asked the vendor to be quick.
9th March 2020 - Notified CVE identifier to vendor, gave extra week to patch.
9th March 2020 - Vendor is testing fix on all models.
13th March 2020 - Vendor asks to confirm fixes.
13th March 2020 - Confirmed fixes and asked the vendor to publish updates. Disclosure delayed one week to give some time to patch if the vendor published firmware updates.
29th March 2020 - No updates have been made public by the vendor. Releasing details to the public after almost 4 months from initial notification
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202004-0373",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "nc260",
"scope": "eq",
"trust": 1.0,
"vendor": "tp link",
"version": "1.0.5"
},
{
"model": "nc450",
"scope": "eq",
"trust": 1.0,
"vendor": "tp link",
"version": "1.1.1"
},
{
"model": "nc260",
"scope": "eq",
"trust": 1.0,
"vendor": "tp link",
"version": "1.0.6"
},
{
"model": "nc250",
"scope": "eq",
"trust": 1.0,
"vendor": "tp link",
"version": "1.3.0"
},
{
"model": "nc200",
"scope": "eq",
"trust": 1.0,
"vendor": "tp link",
"version": "2.1.6"
},
{
"model": "nc220",
"scope": "eq",
"trust": 1.0,
"vendor": "tp link",
"version": "1.1.14"
},
{
"model": "nc210",
"scope": "eq",
"trust": 1.0,
"vendor": "tp link",
"version": "1.0.9"
},
{
"model": "nc450",
"scope": "eq",
"trust": 1.0,
"vendor": "tp link",
"version": "1.1.6"
},
{
"model": "nc220",
"scope": "eq",
"trust": 1.0,
"vendor": "tp link",
"version": "1.3.0"
},
{
"model": "nc230",
"scope": "eq",
"trust": 1.0,
"vendor": "tp link",
"version": "1.3.0"
},
{
"model": "nc260",
"scope": "eq",
"trust": 1.0,
"vendor": "tp link",
"version": "1.5.1"
},
{
"model": "nc450",
"scope": "eq",
"trust": 1.0,
"vendor": "tp link",
"version": "1.5.0"
},
{
"model": "nc200",
"scope": "eq",
"trust": 1.0,
"vendor": "tp link",
"version": "2.1.7"
},
{
"model": "nc220",
"scope": "eq",
"trust": 1.0,
"vendor": "tp link",
"version": "1.2.0"
},
{
"model": "nc450",
"scope": "eq",
"trust": 1.0,
"vendor": "tp link",
"version": "1.1.2"
},
{
"model": "nc200",
"scope": "eq",
"trust": 1.0,
"vendor": "tp link",
"version": "2.1.8"
},
{
"model": "nc220",
"scope": "eq",
"trust": 1.0,
"vendor": "tp link",
"version": "1.1.12"
},
{
"model": "nc200",
"scope": "eq",
"trust": 0.8,
"vendor": "tp link",
"version": "2.1.8_build_171109"
},
{
"model": "nc210",
"scope": "eq",
"trust": 0.8,
"vendor": "tp link",
"version": "1.0.9_build_171214"
},
{
"model": "nc220",
"scope": "eq",
"trust": 0.8,
"vendor": "tp link",
"version": "1.3.0_build_180105"
},
{
"model": "nc230",
"scope": "eq",
"trust": 0.8,
"vendor": "tp link",
"version": "1.3.0_build_171205"
},
{
"model": "nc250",
"scope": "eq",
"trust": 0.8,
"vendor": "tp link",
"version": "1.3.0_build_171205"
},
{
"model": "nc260",
"scope": "eq",
"trust": 0.8,
"vendor": "tp link",
"version": "1.3.0_build_171205"
},
{
"model": "nc450",
"scope": "eq",
"trust": 0.8,
"vendor": "tp link",
"version": "1.5.0_build_181022"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-003917"
},
{
"db": "NVD",
"id": "CVE-2020-10231"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:tp-link:nc450_firmware:1.1.1:160928:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:tp-link:nc450_firmware:1.1.2:161013:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:tp-link:nc450_firmware:1.1.6:161124:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:tp-link:nc450_firmware:1.5.0:181022:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:tp-link:nc450:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:tp-link:nc260_firmware:1.0.5:160804:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:tp-link:nc260_firmware:1.0.6:161114:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:tp-link:nc260_firmware:1.5.1:190805:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:tp-link:nc260:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:tp-link:nc250_firmware:1.3.0:171205:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:tp-link:nc250:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:tp-link:nc230_firmware:1.3.0:171205:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:tp-link:nc230:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:tp-link:nc220_firmware:1.1.12:160321_a:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:tp-link:nc220_firmware:1.1.12:160321_b:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:tp-link:nc220_firmware:1.1.14:161219:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:tp-link:nc220_firmware:1.2.0:170516:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:tp-link:nc220_firmware:1.3.0:180105:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:tp-link:nc220:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:tp-link:nc210_firmware:1.0.9:171214:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:tp-link:nc210:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
},
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:tp-link:nc200_firmware:2.1.6:160108_a:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:tp-link:nc200_firmware:2.1.6:160108_b:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:tp-link:nc200_firmware:2.1.7:160315_a:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:tp-link:nc200_firmware:2.1.7:160315_b:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:tp-link:nc200_firmware:2.1.8:171109:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:h:tp-link:nc200:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2020-10231"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Pietro Oliva",
"sources": [
{
"db": "PACKETSTORM",
"id": "157048"
}
],
"trust": 0.1
},
"cve": "CVE-2020-10231",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 5.0,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2020-003917",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 7.5,
"baseSeverity": "High",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "JVNDB-2020-003917",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2020-10231",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "JVNDB-2020-003917",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-202004-013",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-003917"
},
{
"db": "NVD",
"id": "CVE-2020-10231"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-013"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "TP-Link NC200 through 2.1.8_Build_171109, NC210 through 1.0.9_Build_171214, NC220 through 1.3.0_Build_180105, NC230 through 1.3.0_Build_171205, NC250 through 1.3.0_Build_171205, NC260 through 1.5.1_Build_190805, and NC450 through 1.5.0_Build_181022 devices allow a remote NULL Pointer Dereference. plural TP-Link On the device NULL A vulnerability exists regarding pointer dereference.Service operation interruption (DoS) It may be put into a state. Vulnerability title: TP-LINK Cloud Cameras NCXXX Remote NULL Pointer Dereference\nAuthor: Pietro Oliva\nCVE: CVE-2020-10231\nVendor: TP-LINK\nProduct: NC200, NC210, NC220, NC230, NC250, NC260, NC450\nAffected version: NC200 \u003c= 2.1.8 build 171109, NC210 \u003c= 1.0.9 build 171214,\n NC220 \u003c= 1.3.0 build 180105, NC230 \u003c= 1.3.0 build 171205,\n NC250 \u003c= 1.3.0 build 171205, NC260 \u003c= 1.5.1 build 190805,\n NC450 \u003c= 1.5.0 build 181022\n\nDescription:\nThe issue is located in the httpLoginRpm method of the ipcamera binary (handler\nmethod for /login.fcgi), where after successful login, there is no check for\nNULL in the return value of httpGetEnv(environment, \"HTTP_USER_AGENT\"). Shortly\nafter that, there is a call to strstr(user_agent_string, \"Firefox\") and if a\nUser-Agent header is not specified by the client, httpGetEnv will return NULL,\nand a NULL pointer dereference occurs when calling strstr, with consequent crash\nof the ipcamera process. \n\nImpact:\nAfter the crash, the web interface on port 80 will not be available anymore. \n\nExploitation:\nAn attacker could exploit this issue by just sending a login request with valid\ncredentials (such as admin or limited user), but without an user-agent HTTP\nheader. Default credentials can be used to bypass the credentials requirement. \n\nEvidence:\nThe disassembly of affected code from an NC200 camera is shown below:\n\n0x0047dca0 lw a0, (user_arg)\n0x0047dca4 lw a1, (password_arg)\n0x0047dca8 lw t9, -sym.swUMMatchPassword(gp)\n0x0047dcac nop\n0x0047dcb0 jalr t9\n0x0047dcb4 nop\n0x0047dcb8 lw gp, (saved_gp)\n0x0047dcbc sw v0, (auth_result)\n0x0047dcc0 lw v0, (auth_result)\n0x0047dcc4 nop\n0x0047dcc8 bnez v0, 0x47de34\n0x0047dccc nop\n0x0047dcd0 sw zero, (arg_54h)\n0x0047dcd4 lw a0, (environment)\n0x0047dcd8 lw a1, -0x7fe4(gp)\n0x0047dcdc nop\n0x0047dce0 addiu a1, a1, -0x7cb0 ; \"HTTP_USER_AGENT\"\n0x0047dce4 lw t9, -sym.httpGetEnv(gp)\n0x0047dce8 nop\n0x0047dcec jalr t9\n0x0047dcf0 nop\n0x0047dcf4 lw gp, (saved_gp)\n0x0047dcf8 sw v0, (user_agent_ptr)\n0x0047dcfc lw a0, (user_agent_ptr) ; \u003c== This pointer could be NULL\n0x0047dd00 lw a1, -0x7fe4(gp)\n0x0047dd04 nop\n0x0047dd08 addiu a1, a1, -0x7ca0 ; \"Firefox\"\n0x0047dd0c lw t9, -sym.imp.strstr(gp)\n0x0047dd10 nop\n0x0047dd14 jalr t9\n\n\nDisclosure timeline:\n\n2nd December 2019 - Initial vulnerability report for NC200. \n\n4th December 2019 - Vendor confirms vulnerablity but does not start fixing\n due to the product being end-of-life. \n\n4th December 2019 - Notified vendor the vulnerability details will be public\n and it should be fixed. \n\n6th December 2019 - Thanks for your opinion, we will discuss and write back\n to you. \n\n\u003csilence\u003e\n\n7th February 2020 - Notified vendor issue exists on NC450 and possibly all\n models in between. Fixed a disclosure deadline in 30 days. \n\n8th February 2020 - Vendor: We will check but please be patient. \n\n18th February 2020 - We failed to reproduce the issue with the provided PoC. \n\n\u003ctrying to troubleshoot\u003e\n\n24th February 2020 - Reverse engineered all the firmware images on behalf of\n the vendor and notified they were all vulnerable. \n\n2nd March 2020 - Vendor asks to check fixes for NC200. \n\n2nd March 2020 - Confirmed fix. Asked the vendor to do the same on all cameras. \n\n3rd March 2020 - Vendor will check on other cameras, but will take some time. \n\n3rd March 2020 - Asked the vendor to be quick. \n\n9th March 2020 - Notified CVE identifier to vendor, gave extra week to patch. \n\n9th March 2020 - Vendor is testing fix on all models. \n\n13th March 2020 - Vendor asks to confirm fixes. \n\n13th March 2020 - Confirmed fixes and asked the vendor to publish updates. \n Disclosure delayed one week to give some time to patch if\n the vendor published firmware updates. \n\n29th March 2020 - No updates have been made public by the vendor. Releasing\n details to the public after almost 4 months from initial\n notification",
"sources": [
{
"db": "NVD",
"id": "CVE-2020-10231"
},
{
"db": "JVNDB",
"id": "JVNDB-2020-003917"
},
{
"db": "PACKETSTORM",
"id": "157048"
}
],
"trust": 1.71
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "PACKETSTORM",
"id": "157048",
"trust": 2.5
},
{
"db": "NVD",
"id": "CVE-2020-10231",
"trust": 2.5
},
{
"db": "JVNDB",
"id": "JVNDB-2020-003917",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-202004-013",
"trust": 0.6
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-003917"
},
{
"db": "PACKETSTORM",
"id": "157048"
},
{
"db": "NVD",
"id": "CVE-2020-10231"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-013"
}
]
},
"id": "VAR-202004-0373",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.41025642
},
"last_update_date": "2023-12-18T13:01:47.616000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "https://www.tp-link.com.cn/"
},
{
"title": "Multiple TP-Link Product code issue vulnerability fixes",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=117071"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-003917"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-013"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-476",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-003917"
},
{
"db": "NVD",
"id": "CVE-2020-10231"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.0,
"url": "http://packetstormsecurity.com/files/157048/tp-link-cloud-cameras-ncxxx-remote-null-pointer-dereference.html"
},
{
"trust": 1.6,
"url": "http://seclists.org/fulldisclosure/2020/apr/5"
},
{
"trust": 1.6,
"url": "http://seclists.org/fulldisclosure/2020/mar/54"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-10231"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-10231"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-003917"
},
{
"db": "PACKETSTORM",
"id": "157048"
},
{
"db": "NVD",
"id": "CVE-2020-10231"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-013"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "JVNDB",
"id": "JVNDB-2020-003917"
},
{
"db": "PACKETSTORM",
"id": "157048"
},
{
"db": "NVD",
"id": "CVE-2020-10231"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-013"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-04-30T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-003917"
},
{
"date": "2020-04-01T15:24:43",
"db": "PACKETSTORM",
"id": "157048"
},
{
"date": "2020-04-01T14:15:14.727000",
"db": "NVD",
"id": "CVE-2020-10231"
},
{
"date": "2020-04-01T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202004-013"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-04-30T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2020-003917"
},
{
"date": "2020-05-12T14:09:03.317000",
"db": "NVD",
"id": "CVE-2020-10231"
},
{
"date": "2022-07-01T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202004-013"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "157048"
},
{
"db": "CNNVD",
"id": "CNNVD-202004-013"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "plural TP-Link On the device NULL Pointer dereference vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2020-003917"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "code problem",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202004-013"
}
],
"trust": 0.6
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…